CVE-2026-24949
Published: 20 February 2026
Summary
CVE-2026-24949 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-24949 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as DOM-Based Cross-site Scripting (XSS) under CWE-79, in the ThemeGoods PhotoMe WordPress theme. This flaw affects PhotoMe versions from n/a through 5.7.1 and was published on 2026-02-20.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no privileges required, and user interaction needed, with changed scope and low impacts on confidentiality, integrity, and availability. Remote attackers can exploit it by tricking users into interacting with malicious content, such as crafted links or inputs, leading to arbitrary script execution in the victim's browser context within the affected theme.
The Patchstack advisory provides details on this WordPress PhotoMe theme 5.7.1 XSS vulnerability, including mitigation guidance, at https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7481
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS.This issue affects PhotoMe: from n/a through <= 5.7.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
DOM-based XSS enables arbitrary JavaScript execution in the browser when a victim interacts with a crafted malicious link or input, directly facilitating T1204.001 (Malicious Link) for delivery and T1059.007 (JavaScript) for script execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation and sanitization of all inputs used in DOM construction, directly blocking the unneutralized attacker-supplied data that triggers CVE-2026-24949.
Mandates output filtering/encoding of data written to the DOM, neutralizing the malicious script payloads before they execute in the victim's browser context.
Deploys malicious-code detection and filtering mechanisms (e.g., WAF rules or browser protections) that can identify and block the crafted links used to exploit the DOM-based XSS.